Signature scheme based on the root extraction problem over braid groups. B.C. Wang, Y.P. Hu, IET Information Security 2009, Vol. 3, Iss. 2, pp. 53-59

Upload: justina-shaw

Post on 06-Jan-2018



TRANSCRIPT

Page 1: 1 Signature scheme based on the root extraction problem over braid groups B.C. Wang, Y.P. Hu IET Information security 2009, Vol 3, Iss 2, pp. 53-59

Signature scheme based on the root extraction problem over braid groups

B.C. Wang, Y.P. Hu
IET Information Security 2009, Vol. 3, Iss. 2, pp. 53-59

Page 2:

Outline
- Introduction
- Preliminaries
- The proposed signature scheme
- Performance and parameter specification
- Security analysis
- Conclusion

Page 3:

Introduction: Artin's braid group
- Infinite non-commutative group
- The word problem is solvable
- The RP and the CSP are intractable over braid groups: the CSP has exponential computational complexity, at least in the worst case
- Braid-based cryptography has been a hot topic

Page 4:

Introduction: Anshel et al., 1999-2003
- The commutator key agreement protocol; later generalised and treated axiomatically

Ko et al., 2000
- The key exchange protocol and PKC based on the computational Diffie-Hellman conjugacy problem (DHCP)

Page 5:

Introduction: Cha et al., 2001
- The cryptosystem can be modified to rest on the decomposition problem (DP)

Ko et al., 2002
- The signature scheme based on the k-simultaneous CSP

Dehornoy
- The authentication protocol based on the shifted conjugacy problem

Some others
- The authentication protocol based on the RP

Page 6:

Introduction: Hughes, Myasnikov et al.
- The k-simultaneous CSP always provides the attacker with sufficient information about the common conjugator braid
- The Burau representation: sufficiently many equations derived from the k-simultaneous CSP allow the attacker to lift the Burau matrix representation back to the Artin form

Page 7:

Introduction
- Problems that have been reduced to linear algebra: the Diffie-Hellman type problem, the DP and the shifted CSP
- Some authors even announced the death of the subject
- It is hoped that a cryptographic algorithm constructed on the RP will be more secure

Page 8:

Introduction: two reasons for the insecurity of previous braid PKC algorithms
- The security of these schemes is not tightly related to the underlying intractable problem
- The public keys of some schemes reveal too much information about the construction of the cryptographic algorithm: the attacker can obtain many equations relating the public and secret keys


Page 10:

Preliminaries

Let $u = a_{k_1} \cdots a_{k_p}$ and $v = b_{l_1} \cdots b_{l_q}$ be braid words in $B_n$ with $\mathrm{len}(u) = p$ and $\mathrm{len}(v) = q$ (here $a$ and $b$ denote generator letters, not the keys defined later).
- Computing the left canonical form (LCF) of $uv$ costs $O(pq\, n \log n)$
- Computing the inverse $u^{-1}$ of $u$ costs $O(pn)$
- $0 \le \mathrm{len}(uv) \le p + q$
- $\mathrm{len}(u^{-1}) \approx \mathrm{len}(u)$

Page 11:

Preliminaries

Conjugacy search problem (CSP): given $x \sim y$ in $B_n$, find a conjugator $z$ such that $y = z x z^{-1}$.

Root problem (RP): given $y \in B_n$ and an integer $e \ge 2$ such that $y = x^e$ for some unknown braid $x$, find such an $x$.


Page 13:

The proposed signature scheme: parameters
- $n$: braid index
- $e$: integer, $e \ge 2$
- $H$: a collision-free one-way hash function, $H : \{0,1\}^* \to \{0,1\}^k$

Page 14:

The proposed signature scheme: key generation
- Randomly choose $k + 1$ non-trivial braids $b_1, \ldots, b_k, r \in B_n$ such that $b_i$ and $b_j$ commute for all $i, j = 1, \ldots, k$.
- Compute $a_i = r\, b_i^{e}\, r^{-1}$, $i = 1, \ldots, k$.
- The public key is $(a_1, \ldots, a_k)$; the secret key is $(b_1, \ldots, b_k, r)$.

Page 15:

The proposed signature scheme: signing a message

To sign a given message $m$, Alice randomly chooses a braid $s \in B_n$ and calculates
$$H(m) = (h_1, \ldots, h_k), \qquad t = s\, r^{-1}, \qquad u = s \Big(\prod_{i=1}^{k} b_i^{h_i}\Big) s^{-1}.$$
The signature for the message $m$ is $(u, t)$.

Page 16:

The proposed signature scheme: verification

Bob computes $(h_1, \ldots, h_k) = H(m)$ and
$$v = \prod_{i=1}^{k} a_i^{h_i},$$
and verifies the equation
$$u^{e} = t\, v\, t^{-1}.$$
If the equation holds, he accepts $(u, t)$ as a valid signature for $m$; otherwise he rejects it.

Page 17:

The proposed signature scheme: why verification succeeds

$$\begin{aligned}
t\, v\, t^{-1} &= s r^{-1} \Big(\prod_{i=1}^{k} a_i^{h_i}\Big) r s^{-1} \\
&= s r^{-1} \Big(\prod_{i=1}^{k} r\, b_i^{e h_i}\, r^{-1}\Big) r s^{-1} \\
&= s \Big(\prod_{i=1}^{k} b_i^{h_i e}\Big) s^{-1} \\
&= s \Big(\prod_{i=1}^{k} b_i^{h_i}\Big)^{e} s^{-1} \\
&= \Big(s \prod_{i=1}^{k} b_i^{h_i}\, s^{-1}\Big)^{e} \\
&= u^{e}
\end{aligned}$$
The step from $\prod_i b_i^{h_i e}$ to $(\prod_i b_i^{h_i})^{e}$ is where the key-generation requirement that the $b_i$ commute pairwise is used; the other steps only cancel $r^{-1} r$ and $s^{-1} s$.


Page 19:

Performance and parameter specification: parameter specifications

How to find $b_i$ and $b_j$ that commute, $i, j = 1, \ldots, k$:
- Randomly choose commuting braids $c_1, \ldots, c_s$, where $s \ll k$, e.g. $s \approx k/10$.
- Randomly choose $k$ $s$-dimensional vectors $v_1, \ldots, v_k$, where $v_i = (v_{i1}, \ldots, v_{is})$, $i = 1, \ldots, k$, and the $v_{ij}$ are small integers.
- Compute
$$b_i = \prod_{j=1}^{s} c_j^{v_{ij}}, \qquad i = 1, \ldots, k,$$
and we have $k$ commuting braids $b_1, \ldots, b_k$.

Page 20:

Performance and parameter specification: parameter specifications

The $c_i$ lie in a subgroup $\langle \sigma_{j_1}, \ldots, \sigma_{j_l} \rangle \subset B_n$ whose generator indices satisfy $|j_u - j_v| \ge 2$ for all $j_u \ne j_v$. Such a subgroup $\langle \sigma_{j_1}, \ldots, \sigma_{j_l} \rangle$ is commutative, because Artin generators whose indices differ by at least 2 commute; hence all products of the $c_i$, and so all the $b_i$, commute with each other.

Page 21:

Performance and parameter specification: suggested parameters
- $n = 90$, $e = 2$, $k = 80$, $s = k/10 = 8$, $\mathrm{len}(c_i) = 2$
- $v_i = (v_{i1}, \ldots, v_{is}) \in \{0,1\}^{8}$ with $1 \le v_{i1} + \cdots + v_{is} \le 3$, so $b_i$ has $8 + 28 + 56 = 92 > 80$ choices
- $\mathrm{len}(b_i) \le 3\,\mathrm{len}(c_i) = 6$
- $\mathrm{len}(r) = 8$, $\mathrm{len}(s) = 8$
- $\mathrm{len}(a_i) = \mathrm{len}(r) + e \times \mathrm{len}(b_i) + \mathrm{len}(r^{-1}) = 28$
- Public key size $= 80 \times 28 = 2240$
- Secret key size $= k \times \mathrm{len}(b_i) + \mathrm{len}(r) = 80 \times 6 + 8 = 488$

These two sizes count generator letters $\sigma_i^{\pm 1}$ (the slide calls them bits); one letter of $B_{90}$ needs $\lceil \log_2(2 \times 89) \rceil = 8$ bits, so the public key is about $2240$ bytes.

Page 22:

Performance and parameter specification: computational complexity and comparison
- One 1024-bit RSA modular multiplication $\approx 2.1 \times 10^{6}$ bit operations
- Total computational cost to sign a message $\approx 6.2 \times 10^{6}$ bit operations $\approx 3$ 1024-bit RSA modular multiplications
- The verifier needs $\approx 3.7 \times 10^{7}$ bit operations $\approx 17$ 1024-bit RSA modular multiplications


Page 24:

Security analysis: key recovery attack
- The attacker cannot lift the Burau matrix representation back to the Artin braids.
- The attacker cannot learn the secret key from the public key.

Page 25:

Security analysis: on forging a signature
- For a given message $m$, an attacker can forge a valid signature $(u, t)$ iff he can extract an $e$-th root of the braid $v \in B_n$.

On extracting the $e$-th root
- The attacker cannot use the knowledge of the signature to solve the RP.
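Worked example for key generation (pages 14 and 19-20), signing and verification (pages 15-17) and the forgery question of this page. This is the editor's own toy code, not code from the paper. Its assumptions: braids are handled through the Burau representation evaluated at $t = 2$ modulo the prime $10^9 + 7$, which is a group homomorphism $B_n \to GL_n(\mathbb{F}_p)$ (so every identity on pages 14-17 holds for the matrices) but is not faithful for $n \ge 5$, so the matrix equality used by `verify()` is weaker than the left canonical form comparison a real verifier needs; the sizes $n = 8$, $k = 12$, $s = 4$ are toy values; $H$ is SHA-256 truncated to $k$ bits. The last function is the check a practitioner would want before relying on the claim that signatures do not help with the RP: rearranging $u^e = t v t^{-1}$ gives $v = (t^{-1} u t)^e$, so every signature hands out an $e$-th root of its own $v$, and because the $b_i$ commute those roots multiply along hash vectors, so an attacker with signatures on chosen messages can assemble the root for a new message's hash by integer row reduction and sign it with any fresh conjugator. This is an observation derived from the equations on the page, not a result stated in the paper.

```python
import hashlib
import random

P, T = 1_000_000_007, 2                 # Burau variable t evaluated at 2 in GF(P) (assumption)
T_INV = pow(T, P - 2, P)
N, E, K, S, WORD_LEN = 8, 2, 12, 4, 8   # toy sizes; the paper suggests n = 90, e = 2, k = 80, s = 8
COMMUTING_GENS = (1, 3, 5, 7)           # sigma_j with |j_u - j_v| >= 2 commute pairwise (page 20)

def _identity():
    return [[int(i == j) for j in range(N)] for i in range(N)]

def _matmul(A, B):
    return [[sum(A[i][l] * B[l][j] for l in range(N)) % P for j in range(N)] for i in range(N)]

class Braid:
    """Braid given by its Burau matrix and the inverse's matrix (homomorphic image, not faithful for n >= 5)."""
    def __init__(self, m, m_inv): self.m, self.m_inv = m, m_inv
    def __mul__(self, other): return Braid(_matmul(self.m, other.m), _matmul(other.m_inv, self.m_inv))
    def inv(self): return Braid(self.m_inv, self.m)
    def __eq__(self, other): return self.m == other.m
    def __pow__(self, exp):              # square-and-multiply; negative exponents use the inverse
        base, out, exp = (self if exp >= 0 else self.inv()), Braid(_identity(), _identity()), abs(exp)
        while exp:
            if exp & 1:
                out = out * base
            base, exp = base * base, exp >> 1
        return out

def sigma(i):
    """Burau image of sigma_i (1 <= i < N): block [[1-t, t], [1, 0]] at rows/columns i-1, i."""
    m, m_inv = _identity(), _identity()
    m[i - 1][i - 1], m[i - 1][i], m[i][i - 1], m[i][i] = (1 - T) % P, T, 1, 0
    m_inv[i - 1][i - 1], m_inv[i - 1][i], m_inv[i][i - 1], m_inv[i][i] = 0, 1, T_INV, (1 - T_INV) % P
    return Braid(m, m_inv)

def random_braid(rng, length, gens=tuple(range(1, N))):   # random word of sigma_j^{+-1}, j in gens
    b = Braid(_identity(), _identity())
    for _ in range(length):
        g = sigma(rng.choice(gens))
        b = b * (g if rng.random() < 0.5 else g.inv())
    return b

def exp_product(braids, exps):                            # prod_i braids[i]^exps[i], any integers
    out = Braid(_identity(), _identity())
    for x, e in zip(braids, exps):
        out = out * (x ** e) if e else out
    return out

def hash_bits(message):                                   # H: {0,1}* -> {0,1}^K, leading K bits of SHA-256
    d = hashlib.sha256(message).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(K)]

def keygen(rng):
    """Pages 14, 19-20: b_i = prod_j c_j^{v_ij}, v_i in {0,1}^S of weight 1..3; a_i = r b_i^e r^{-1}."""
    c = [random_braid(rng, 2, COMMUTING_GENS) for _ in range(S)]   # commuting seeds, len(c_j) = 2
    supports = [rng.sample(range(S), rng.randint(1, 3)) for _ in range(K)]
    b = [exp_product(c, [int(j in supp) for j in range(S)]) for supp in supports]
    r = random_braid(rng, WORD_LEN)
    return [r * (b_i ** E) * r.inv() for b_i in b], (b, r)       # (public key, secret key)

def sign(sk, message, rng):
    """Page 15: u = s (prod b_i^{h_i}) s^{-1}, t = s r^{-1}."""
    s, (b, r) = random_braid(rng, WORD_LEN), sk
    return s * exp_product(b, hash_bits(message)) * s.inv(), s * r.inv()

def verify(pk, message, sig):
    """Page 16: accept iff u^e = t v t^{-1} with v = prod a_i^{h_i}."""
    u, t = sig
    return u ** E == t * exp_product(pk, hash_bits(message)) * t.inv()

def leaked_root(sig):       # u^e = t v t^{-1} rearranges to v = (t^{-1} u t)^e: each signature leaks a root of its v
    return sig[1].inv() * sig[0] * sig[1]

def forge(pk, sign_oracle, target, rng, max_queries=200):
    """Chosen-message forgery from leaked roots alone (editor's observation, not a claim of the paper):
    since the b_i commute, roots multiply along hash vectors, so integer row reduction yields the target's root."""
    basis = {}                                   # pivot column -> (vector over Z, root for that vector)
    for msg in (b"query-%d" % q for q in range(max_queries)):
        vec, w = hash_bits(msg), leaked_root(sign_oracle(msg))
        for col in range(K):                     # echelon insertion over Z, Euclid on the pivot entry
            if vec[col] == 0:
                continue
            if col not in basis:
                basis[col] = (vec, w)
                break
            bvec, bw = basis[col]
            while vec[col]:
                f = bvec[col] // vec[col]
                bvec, bw = [x - f * y for x, y in zip(bvec, vec)], bw * (w ** (-f))
                bvec, vec, bw, w = vec, bvec, w, bw
            basis[col] = (bvec, bw) if bvec[col] > 0 else ([-x for x in bvec], bw.inv())
        rem, root = hash_bits(target), Braid(_identity(), _identity())
        for col in range(K):                     # express the target hash in the lattice seen so far
            if rem[col] and (col not in basis or rem[col] % basis[col][0][col]):
                break                            # not representable yet: ask for one more signature
            if rem[col]:
                f = rem[col] // basis[col][0][col]
                rem, root = [x - f * y for x, y in zip(rem, basis[col][0])], root * (basis[col][1] ** f)
        else:
            s2 = random_braid(rng, WORD_LEN)     # fresh conjugator: u'^e = s2 v* s2^{-1} = t' v* t'^{-1}
            return s2 * root * s2.inv(), s2
```

`forge()` uses only the public key and a signing oracle; with the toy sizes it usually needs a few more than $k$ signatures, enough for the observed hash vectors to span $\mathbb{Z}^k$, and returns a pair that `verify()` accepts for a message the signer never signed. Nothing in it touches the secret key, solves an RP instance, or lifts Burau matrices as on page 6, so a larger braid index does not change the outcome; what it relies on is the pair of facts that $t^{-1} u t$ is a root of $v$ and that the $b_i$ commute. Switching to the paper's sizes only means changing `N`, `E`, `K`, `S`, `WORD_LEN` and `COMMUTING_GENS`; an implementation meant for real use must compare left canonical forms rather than Burau matrices.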

Page 26:

Security analysis: security comparison and remarks


Page 28:

Conclusions
- A detailed account of the rise and decline of braid-group cryptography, pointing out the shortcomings of earlier work: loose dependence on the hard problem, and public keys that leak too much information
- A simple method of proof is proposed